Cyber-security bill passes the House

The House passed CISPA, the Cyber Intelligence Sharing and Protection Act, on a 248-168 vote Thursday night. The vote was originally scheduled for Friday, so it came as something of a surprise. The Senate is still conflicted about the measure, while the White House threatens a veto, saying the bill “effectively treats domestic cyber-security as an intelligence activity, and thus significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres.”

This rather neatly captures the nature of the electronic security debate. How can cyber-security not be an “intelligence activity”? But if we must treat it as such, how can we also guarantee online privacy?

The measure, which some are calling the Son of SOPA, allows internet service providers to share information with the government, including the Department of Homeland Security and the National Security Agency, about cybersecurity threats they detect on the internet. An ISP is not required to shield any personally identifying data of its customers when it believes it has detected threats, which include attack signatures, malicious code, phishing sites or botnets. In short, the measure seeks to undo privacy laws that generally forbid ISPs from disclosing customer communications to anybody else without a court order.

The bill immunizes ISPs from privacy lawsuits for voluntarily disclosing customer information thought to be a security threat. Internet companies are also granted anti-trust protection to immunize them against allegations of colluding on cybersecurity issues. The measure is not solely limited to cybersecurity, and includes the catchall phrase “national security” as a valid reason for turning over the data.

CISPA also allows ISPs to bypass privacy laws and share data with fellow ISPs in a bid to promptly extinguish a cyberattack.

SOPA is the Stop Online Piracy Act, which (apparently) died in Congress after massive public outcry over the damage it would have done to online privacy, and the free flow of Internet communications. While CISPA addresses security concerns, rather than intellectual property, its detractors raise similar privacy objections.

Proponents say that effective online security, particularly against large-scale coordinated attacks by enemy governments or large hacker groups, requires involvement by the intelligence community – which must have some way to gather the intel needed to track down electronic terrorists and defeat viral attacks.

The debate is really an extension of the never-ending tension between security and privacy, which existed long before the first vacuum tube was plugged in. The Internet intensifies the debate because of its enormous reach, and the speed at which the online transfer of data occurs. Some of the data CISPA makes more readily available to government agencies can already be obtained with a warrant, but the time required to obtain a warrant could hamstring efforts to deal with a rapidly evolving online threat.

On the other hand, no one can be blamed for feeling extremely nervous about the prospect of Internet service providers handing private data over to the government. This would happen largely at the discretion of the ISPs – they’re allowed to hand over data they believe pertains to a security threat, to the government or other private entities, but not required to do so. CISPA was designed to override almost all other privacy laws, as well as the Terms of Service agreements consumers sign with their Internet providers, making opponents worry it’s a petri dish festering with unintended consequences.

Like every large bill, CISPA mutated as it gestated, picking up a raft of amendments in the final day of debate. One of them added the protection of children from pornography as a valid reason for the government to harvest personal data. This did nothing to reassure those who thought “national security” was already too broad of a mission. Children are often victimized by online predators, but that has nothing to do with cyber-security, and the government has proven itself very adept at justifying almost anything it wants to do by saying it’s “for the children.” The front door of CISPA was already disturbingly large, but now it has a huge back door, too.

The CISPA debate has not occurred strictly along partisan lines, although the Republican caucus in the House strongly favors it. House Speaker John Boehner claimed the White House is “in a camp all by themselves” with their veto threat. However, 28 Republicans voted against the bill, and Rep. Ron Paul (R-TX), who abstained from voting, described CISPA as “Big Brother writ large” and an “assault on Internet freedom.”

On the other hand, Democrat Dutch Ruppersberger of Maryland, who sits on the House Intelligence Committee and was a steward of CISPA throughout its legislative journey, hailed Thursday night’s vote as “a victory for America” and said it brought us “one step closer to making a real difference protecting our country from a catastrophic cyber attack.”

Rep. Allen West (R-FL), who is nobody’s idea of a Big Government handmaiden, strongly supported CISPA, explaining via Twitter that “cyber-attacks have become a new dimension in the 21st century battlefield, and go beyond the military.” He added, “We must protect citizens and the intellectual property of the private sector. I support CISPA because it’s voluntary.”

SOPA suffered massive opposition from the online community, but CISPA has the support of many top Internet companies, including Microsoft, Facebook, Intel, and cyber-security giant Symantec. They cite concerns about large-scale Internet espionage, including Chinese government raids on American intellectual property.

The FBI’s outgoing head of cyber-security, Shawn Henry – who oversaw massive successful enforcement actions against hacker groups like Anonymous and LulzSec – nevertheless says “we are not winning,” because “the offense outpaces the defense, and the problem is getting bigger.” His agency recently warned that up to four million computers could get blown off the Internet in July, due to a virus cooked up by a gang of Estonian hackers.

It’s interesting to note that the White House’s preferred alternative legislation in the Senate was authored by an independent and a Republican, Joe Lieberman of Connecticut and Susan Collins of Maine. Fox News notes it would “give the Department of Homeland Security authority to set new cyber-security standards.” That’s not exactly reassuring to those who worry about the 18-wheel truck of government power barreling toward the intersection of privacy and security.